
You could restore AD from a backup made when you had that distribution still in AD, though this is a hairy operation and is not something I would want to try if I were new to AD. Heck, I don't even want to try it and I have been working with AD almost since it came out. Too many things can go horribly wrong to mess with it IMHO.

Roadclosed - I believe you are getting the way Exchange 5.5 works confused with the way Exchange 2k works. There is no directory service in Exchange 2k, so all address book entries (read: distribution lists) live in AD.

The idea of a distribution list really went away with AD; they are now called groups. You have either global security groups or universal security groups. The security groups can be used to do a wide variety of things. You can assign NTFS permissions through groups, or you can use them as a distribution list in combination with E2k. You can also have groups that are not security groups, but I have found that making all groups security groups is much easier in the long run, as you can use them universally for DLs or applying permissions.

Therefore, you cannot "move" a distribution list from one Exchange server to another. The "physical" location of the group is inside of the AD directory and it will be replicated amongst all GC/DCs. Hell, even in Exchange 5.5 you could not move a distribution list, as the list was homed to a site and not any particular server.

The easiest way I have found to work with groups, i.e. recovering groups and things of that nature, is to use MMS - Microsoft Metaserver. MMS is designed to allow you to import external directories into AD, or to import AD information out to other directory services. For instance, at my company we have a corporate HR database that contains all employee information. We then populate AD with the information in that database using the HR database. This way, if an employee's phone number changes, all you have to do is make the change in the HR database and then all of the downstream directories are updated within 24 hours.

The side benefit of doing this is that we have a snapshot of just about everything inside of AD, in terms of users and groups, taken every day. We store that data for several days. Then if somebody accidentally deletes an extremely large group, we can use an LDAP call to push all of that information back into AD. The one problem with this is that the SID of the group will change, so you will have to reassign permissions if you were using the group as a security group. If you were only using that group as a distribution list, it will appear back in the GAL exactly as it did before.

The short answer is that no, there is no type of recovery for AD groups automatically. If you were to delete the user account associated with an Exchange mailbox, you can recreate the AD user account and reassociate the mailbox to the account within 30 days (I believe that is the default setting). However, once again the SID has changed, so you would have to reassociate any permissions to the account.

The other option, what I believe UXO is referring to, is called an authoritative restore. What you do here is restore the AD database on a GC and specify an authoritative restore. Once that restore is done, the GC will tell the other DC/GCs in your environment that they all need to match what is in that newly restored GC. The other GC/DCs roll back all changes that have occurred past the last USN (update sequence number) on the newly restored AD database. This results in all changes that have occurred to AD being lost past the point of the backup being taken. If you are operating in an extremely small environment that has very little changing in your AD, this may be a legitimate option.
How to do an auth. restore: http://support.microsoft.com/default...b;en-us;241594
Potential impacts of an auth. restore: http://support.microsoft.com/default...b;en-us;216243
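
The snapshot-based recovery described in the post above, sketched as an added example (not code from the thread or from MMS): it diffs two daily snapshots, emits an LDIF `add` record for each deleted group, and lists the ACLs that still point at the old SID and must be reassigned. The snapshot layout, DNs, SIDs and share paths are constructed for illustration, and attribute values are assumed to be plain ASCII.

```python
# Constructed snapshots keyed by DN; not real directory data.
YESTERDAY = {
    "CN=AtlantaSalesDept,OU=Groups,DC=example,DC=com": {
        "sAMAccountName": "AtlantaSalesDept",
        "groupType": "-2147483640",  # universal security group
        "objectSid": "S-1-5-21-1111111111-2222222222-3333333333-1105",
        "member": ["CN=Ann Lee,OU=Users,DC=example,DC=com",
                   "CN=Bo Diaz,OU=Users,DC=example,DC=com"],
    },
    "CN=HelpDesk,OU=Groups,DC=example,DC=com": {
        "sAMAccountName": "HelpDesk",
        "groupType": "-2147483646",  # global security group
        "objectSid": "S-1-5-21-1111111111-2222222222-3333333333-1106",
        "member": ["CN=Cy Park,OU=Users,DC=example,DC=com"],
    },
}
TODAY = {dn: g for dn, g in YESTERDAY.items() if "HelpDesk" in dn}

# Constructed inventory of (resource, trustee SID) pairs from an ACL audit.
ACL_INVENTORY = [
    (r"D:\Shares\Sales", "S-1-5-21-1111111111-2222222222-3333333333-1105"),
    (r"D:\Shares\Quotes", "S-1-5-21-1111111111-2222222222-3333333333-1105"),
    (r"D:\Shares\Tickets", "S-1-5-21-1111111111-2222222222-3333333333-1106"),
]

def deleted_groups(old, new):
    """DNs present in the older snapshot but missing from the newer one."""
    return sorted(dn for dn in old if dn not in new)

def recreate_ldif(dn, attrs):
    """LDIF add record. objectSid is left out: the directory assigns a
    new SID on creation, so the old one cannot be pushed back."""
    lines = [f"dn: {dn}", "changetype: add", "objectClass: group",
             f"sAMAccountName: {attrs['sAMAccountName']}",
             f"groupType: {attrs['groupType']}"]
    lines += [f"member: {m}" for m in attrs["member"]]
    return "\n".join(lines) + "\n"

def recovery_plan(old, new, inventory):
    """For each deleted group: the LDIF to recreate it, plus the
    resources whose ACLs reference the old SID and need reassigning."""
    plan = []
    for dn in deleted_groups(old, new):
        old_sid = old[dn]["objectSid"]
        stale = [path for path, sid in inventory if sid == old_sid]
        plan.append({"dn": dn, "ldif": recreate_ldif(dn, old[dn]),
                     "reassign": stale})
    return plan

if __name__ == "__main__":
    for item in recovery_plan(YESTERDAY, TODAY, ACL_INVENTORY):
        print(item["ldif"])
        print("ACLs to reassign:", item["reassign"])
```
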

If you are not sure, just rename the group (or object) to keep it with its default attributes (except name, of course).
For example, you have a group named AtlantaSalesDept.
If you want to maintain it and would like to have a fallback option:
Rename AtlantaSalesDept to another name --> bkp_AtlantaSalesDept
Create the new one or copy bkp to AtlantaSalesDept
If you want to roll back, just delete the new one and rename the old one back.
It's kinda stupid but it will work.

It's really better than an AD restore, even with a tool that can restore objects one by one.
(trauma with AD restore here)